Review of the SEC's Practices for Sanitizing Digital Information System Media

May 30, 2014
Report No. 521


UNITED STATES SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
OFFICE OF INSPECTOR GENERAL

MEMORANDUM

May 30, 2014

To:       Thomas A. Bayer, Chief Information Officer, Office of Information Technology

From:     Carl W. Hoecker, Inspector General, Office of Inspector General

Subject:  Review of the SEC's Practices for Sanitizing Digital Information System Media, Report No. 521

Attached is the Office of Inspector General's (OIG) final report detailing the results of our review of the U.S. Securities and Exchange Commission's (SEC) practices for sanitizing digital information system media (media). The report contains eight recommendations for corrective action that, if fully implemented, should strengthen the SEC's media sanitization controls.

On April 30, 2014, we provided you with a draft of our report for your review and comment. In your May 21, 2014, response, you concurred with all of our recommendations. We have included your response as Appendix IV in the final report.

Within the next 45 days, please provide the OIG with a written corrective action plan that addresses the recommendations. The corrective action plan should include information such as the responsible official/point of contact, timeframe for completing required actions, and milestones identifying how your office will address the recommendations.

We appreciate the courtesies and cooperation extended to us during the review. If you have questions, please contact me or Rebecca L. Sharek, Deputy Inspector General for Audits, Evaluations, and Special Projects.

Attachment

cc:  Mary Jo White, Chair
     Erica Y. Williams, Deputy Chief of Staff, Office of the Chair
     Luis A. Aguilar, Commissioner
     Paul Gumagay, Counsel, Office of Commissioner Aguilar
     Daniel M. Gallagher, Commissioner
     Benjamin Brown, Counsel, Office of Commissioner Gallagher
     Kara M. Stein, Commissioner
     Tyler Gellasch, Counsel, Office of Commissioner Stein
     Michael S. Piwowar, Commissioner
     Jaime Klima, Counsel, Office of Commissioner Piwowar
     Jeffery Heslop, Chief Operating Officer
     Anne K. Small, General Counsel
     Timothy Henseler, Director, Office of Legislative and Intergovernmental Affairs
     John J. Nester, Director, Public Affairs
     Pamela Dyson, Deputy Director, Office of Information Technology
     Todd Scharf, Associate Director, Chief Information Security Officer
     Barry Walters, Director, Office of Support Operations/Chief FOIA Officer
     Olivier Girod, Chief, Office of Building Operations
     Vance Cathell, Director, Office of Acquisitions
     David Glockner, Regional Director, Chicago Regional Office
     Barry Isenman, Assistant Director, Chicago Regional Office
     Andrew Calamari, Regional Director, New York Regional Office
     Robert Keyes, Associate Regional Director, New York Regional Office
     Sharon Binger, Regional Director, Philadelphia Regional Office
     Edward Fallacro, Chief of Regional Office Operations, Philadelphia Regional Office
     Darlene L. Pryor, Management and Program Analyst, Office of the Chief Operating Officer


U.S. SECURITIES AND EXCHANGE COMMISSION                        OFFICE OF INSPECTOR GENERAL

Executive Summary
Review of the SEC's Practices for Sanitizing Digital Information System Media
Report No. 521
May 30, 2014

Why We Did This Review

The U.S. Securities and Exchange Commission (SEC) generates and collects commercially valuable, market-sensitive, proprietary, and other nonpublic information. To safeguard against unauthorized disclosure of this information, the SEC requires that digital information system media (media), including computer hard drives, compact discs, digital video discs, and data tapes used to process and store information, be sanitized before disposal. Effective sanitization minimizes the risk of unauthorized release of information that is potentially damaging to the agency, its employees and contractors, and those entities that the SEC regulates. To determine whether the SEC effectively sanitizes surplus media before its disposal, the Office of Inspector General contracted the services of Networking Institute of Technology, Inc. (referred to as "we" in this report) to evaluate the agency's media sanitization practices.

What We Recommended

To provide reasonable assurance that the SEC's obsolete and surplus media containing sensitive information are properly safeguarded and sanitized before disposal, we made eight recommendations for corrective action. The recommendations address surplus media storage, laptop encryption, inventorying and tracking of surplus hard drives, sanitization of failed hard disks used in disk arrays, certificates of destruction, media sanitization policies and procedures, and implementation of verification activities. Management concurred with the recommendations, which will be closed upon completion and verification of corrective action. Because this report contains sensitive information about the SEC's information security program, we are not releasing it publicly.

What We Found

The SEC Office of Information Technology (OIT) sanitizes surplus and obsolete media by destroying it, which minimizes the risk of unauthorized disclosure of information. However, we visited the SEC's Washington, D.C., headquarters and three of the agency's regional offices (Philadelphia, New York, and Chicago) and identified needed improvements in the agency's sanitization and disposal practices. Specifically, we found that the SEC did not always

  * store media awaiting sanitization, particularly surplus hard drives, in secure containers or cabinets to prevent pilferage;

  * encrypt laptop computer hard drives, although encryption is required and unencrypted laptop computer hard drives awaiting sanitization were found to contain large amounts of nonpublic information, including personally identifiable information;

  * inventory or track hard drives during the sanitization process; and

  * sanitize failed disks that were part of the agency's data center redundant storage arrays before returning such disks to a vendor.

We also determined that SEC employees did not always witness the third-party destruction of media or obtain accurate or complete certificates of destruction.

After issuing to management a discussion draft of our report highlighting these results, we learned that the OIT, on April 7, 2014, rescinded its Media Destruction Procedure and revised its SEC OIT Security Policy Framework and accompanying handbook. Those documents established many of the media sanitization and disposal requirements that agency personnel were not consistently following.

We communicated to the OIT our concern that those changes eliminated previously established controls over media sanitization and disposal rather than ensure that such controls were working effectively. Subsequently, the OIT agreed to reestablish some requirements to address the weaknesses we observed. Those weaknesses existed because of a lack of clear lines of authority and roles and responsibilities for media sanitization. Also, the OIT did not adequately oversee agencywide sanitization and disposition processes, including those of the regional offices. In addition, responsible personnel did not consistently follow or were unaware of applicable policies and procedures. Finally, there were no enforcement or compliance controls in place to detect and prevent the weaknesses we observed. According to management's response to the draft of our report, the OIT is reviewing its Media Destruction Procedure and intends to replace it with multiple procedures addressing media sanitization.

During the course of our review, we also found on the SEC's enterprisewide network drives large amounts of sensitive, nonpublic information that was available to all employees and contractors with access to the network. Upon notification, management restricted access to the drives, pending further review by the OIT.

For additional information, contact the Office of Inspector General at (202) 551-6061 or www.sec.gov/about/offices/inspector_general.shtml.


To Report Fraud, Waste, or Abuse, Please Contact:

  Web:        www.reportlineweb.com/sec_oig

  Email:      oig@sec.gov

  Telephone:  (877) 442-0854

  Fax:        (202) 772-9265

  Address:    U.S. Securities and Exchange Commission
              Office of Inspector General
              100 F Street, N.E.
              Washington, DC 20549-2736

Comments and Suggestions

  If you wish to comment on the quality or usefulness of this report or suggest ideas for future audits, please contact Rebecca Sharek, Deputy Inspector General for Audits, Evaluations, and Special Projects at sharekr@sec.gov or call (202) 551-6083. Comments, suggestions, and requests can also be mailed to the attention of the Deputy Inspector General for Audits, Evaluations, and Special Projects at the address listed above.